Re: Booting to CD and the handing off to HD
Cristobal,

I may have missed some followups to this thread, hope this isn't redundant.

If you copy /boot/boot1 to someplace like /root, chmod 500 to make it executable and do an exec /root/boot1, the system will reboot the hard drive, eliminating all bios checks for boot sequence and bypassing the cd boot preference.

I haven't gone through a complete sequence of what you need to make this work (i.e. burning a cd, etc).

What I have tested is:

    Dual boot system with microsoft boot loader,
    Windows 2000 on first partition
    FreeBSD 5.3b7 on second partition
    Boot FreeBSD single user
    exec /root/boot1

There may be all sorts of gotchas in this which you will have to work out, but I think it's a path that might work.

Hope this helps

Gary

> I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
>
> Is that possible? What man pages and/or web pages should I read to make it happen?

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: Booting to CD and the handing off to HD
Thanks to everyone who is providing input on this question. I appreciate it greatly! :)

The boot loader idea sounds like it'll have to be what I use. I'll get the CD to write a token to the drive if it checks out, and upon next boot-up, if I can get the CD's boot loader to find the token on the HD, it'll boot the HD instead. Any ideas on how to arrange that one? If I can't get the boot loader to do that, I'll have to resort to making the partition bootable/unbootable to make the selection; although I'd prefer the token.

I do agree that one of the best ways to secure the box is to use the secure levels and mount things read-only. I will be doing that, but my goal here is to remove every remote possibility of my machine's compromise lasting beyond a day. I like to go for absolute certainty on security. :)

Thx

--- Theodore K. Milbaugh [EMAIL PROTECTED] wrote:
> On Tue, 5 Oct 2004 11:22:47 -0600, Nathan Kinkade [EMAIL PROTECTED] wrote:
> > Regarding booting to the CDROM or HD, I'm not sure I understand the difference between what you are saying and what I said in my previous reply. How can the CDROM boot the machine to the HD? If the machine reboots the BIOS will take control and boot the machine according to its device priority. If there is a bootable CD in the CDROM device, and the BIOS is set to boot to the CDROM first, how can the machine be made to boot the HD prior to the CDROM? The only possible way I can think of would be to have the CDROM booted OS eject the CDROM tray before reboot, then have the HD booted OS close the CDROM tray again.
> >
> > Nathan
>
> The code on the CD can load the bootloader code from the HD, and execute it. I know it is possible, because if you boot off of the SuSE 9.1 Installation CD, it has an option to boot to the HD, and it does work.
Re: Booting to CD and the handing off to HD
On Wed, Oct 06, 2004 at 11:49:54PM -0700, Cristobal Miguelo wrote:
> Dear Geert,
>
> Thanks for the reply! I wasn't aware of that program and I'll certainly look into it. Do you think I could use mkisofs and do the whole El Torito cd boot thing?
>
> Thx
> -Cristobal

Exactly. Take a look at http://www.freesbie.org.

There also are firewall-systems that fit on a single floppy, e.g. PicoBSD: http://people.freebsd.org/~picobsd/picobsd.html, which works very nicely as well. And of course, Linux has thousands of floppy/cd-based distros.

GH

-- 
:wq
Re: Booting to CD and the handing off to HD
On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> Hello,
>
> I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
>
> Is that possible? What man pages and/or web pages should I read to make it happen?
>
> Thanks!
> Cristobal

Maybe you could just put the entire thing on a livecd? Your config-files could be on a write-protected floppy-disk. I suggest you use ports/sysutils/freesbie to create your own custom livecd, and make it do something like:

    mount -o ro /dev/fd0 /floppy
    mount -t union /floppy /etc

GH

-- 
:wq
Re: Booting to CD and the handing off to HD
On Mon, Oct 04, 2004 at 09:23:31PM -0700, Cristobal Miguelo wrote:
> > On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> > > Hello,
> > >
> > > I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
> > >
> > > Is that possible? What man pages and/or web pages should I read to make it happen?
> > >
> > > Thanks!
> > > Cristobal
> >
> > Well, you could certainly mount the harddisk partitions somewhere in the filesystem while running under the CDROM booted kernel. However, I seriously doubt if you could change the running kernel to that from the harddisk. Why not just reboot to the harddisk after you have finished your diagnostics with the CDROM?
> >
> > Nathan
>
> Thanks for the response!
>
> I would like to have it completely automated: The machine goes down at 4am for the check and boots to cd, then the cd controls the hand-off to the hard drive. I'd like to have the BIOS set up to only boot the cd and if the HD checks out ok, boot up the HD. That way there is a slim chance that any security breach will last beyond one night on my machine. I seriously doubt a security breach will occur, but I want to close every door imaginable.
>
> Anything else that could be done?
>
> Thx
> -C

What is the reason that you find it necessary to reboot the machine to a CDROM every morning? Are you sure that there isn't a way to run your checks while booted to the harddisk? I am fairly sure that you will never find a way to have the BIOS selectively boot either the CDROM or the HD based on some OS specific factor, such as a successful check of the HD. I have a feeling that there may be a better way to accomplish your goal without a reboot to CDROM every morning. Will you tell the list more about what you are trying to accomplish?

Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
RE: Booting to CD and the handing off to HD
Seems you could just mount all the filesystems but /var and /tmp as readonly, set secure level to max, dump all logs to a new log daily, start a new log and do checks on the old logs. That would be my route. Or run a diskless server, or even a live cd of the setup install.

-----Original Message-----
From: Nathan Kinkade [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 6:13 PM
To: Cristobal Miguelo
Cc: [EMAIL PROTECTED]
Subject: Re: Booting to CD and the handing off to HD

On Mon, Oct 04, 2004 at 09:23:31PM -0700, Cristobal Miguelo wrote:
> > On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> > > Hello,
> > >
> > > I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
> > >
> > > Is that possible? What man pages and/or web pages should I read to make it happen?
> > >
> > > Thanks!
> > > Cristobal
> >
> > Well, you could certainly mount the harddisk partitions somewhere in the filesystem while running under the CDROM booted kernel. However, I seriously doubt if you could change the running kernel to that from the harddisk. Why not just reboot to the harddisk after you have finished your diagnostics with the CDROM?
> >
> > Nathan
>
> Thanks for the response!
>
> I would like to have it completely automated: The machine goes down at 4am for the check and boots to cd, then the cd controls the hand-off to the hard drive. I'd like to have the BIOS set up to only boot the cd and if the HD checks out ok, boot up the HD. That way there is a slim chance that any security breach will last beyond one night on my machine. I seriously doubt a security breach will occur, but I want to close every door imaginable.
>
> Anything else that could be done?
>
> Thx
> -C

What is the reason that you find it necessary to reboot the machine to a CDROM every morning? Are you sure that there isn't a way to run your checks while booted to the harddisk? I am fairly sure that you will never find a way to have the BIOS selectively boot either the CDROM or the HD based on some OS specific factor, such as a successful check of the HD. I have a feeling that there may be a better way to accomplish your goal without a reboot to CDROM every morning. Will you tell the list more about what you are trying to accomplish?

Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
Re: Booting to CD and the handing off to HD
On Tue, 5 Oct 2004 10:12:49 -0600, Nathan Kinkade [EMAIL PROTECTED] wrote:
> On Mon, Oct 04, 2004 at 09:23:31PM -0700, Cristobal Miguelo wrote:
> > > On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> > > > Hello,
> >
> > I would like to have it completely automated: The machine goes down at 4am for the check and boots to cd, then the cd controls the hand-off to the hard drive. I'd like to have the BIOS set up to only boot the cd and if the HD checks out ok, boot up the HD. That way there is a slim chance that any security breach will last beyond one night on my machine. I seriously doubt a security breach will occur, but I want to close every door imaginable.
> >
> > Anything else that could be done?
> >
> > Thx
> > -C
>
> What is the reason that you find it necessary to reboot the machine to a CDROM every morning? Are you sure that there isn't a way to run your checks while booted to the harddisk? I am fairly sure that you will never find a way to have the BIOS selectively boot either the CDROM or the HD based on some OS specific factor, such as a successful check of the HD. I have a feeling that there may be a better way to accomplish your goal without a reboot to CDROM every morning. Will you tell the list more about what you are trying to accomplish?
>
> Nathan

Since the code that checks the HD is on a CD, it is unlikely to be compromised. Any check in the running OS could be compromised, which the poster wants to avoid.

Also, the BIOS will not be selectively booting to CD or HD, it will only boot to the CD. The CD-based check of the HD will be booting the disk if it checks out okay.
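
The CD-side check discussed in the message above could be a manifest comparison along these lines. This is an added example, not part of the thread: the function names, the manifest format and the choice of SHA-256 are assumptions, and the hand-off itself is left to the caller, which proceeds only when verify_tree returns 0.

```shell
#!/bin/sh
# Added example: compare a mounted hard-disk tree with a manifest that lives
# on the read-only boot medium. Manifest lines: "<sha256-hex>  <./rel/path>".
# Assumes file names contain no newlines.

# SHA-256 of one file, read via stdin so the output carries no file name.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | cut -d' ' -f1      # GNU coreutils
    else
        sha256 -q < "$1"                      # FreeBSD base system
    fi
}

# make_manifest ROOT: print a manifest for every regular file under ROOT.
# Run this once on a known-good system and burn the output onto the CD.
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done )
}

# verify_tree MANIFEST ROOT: return 0 only when ROOT matches MANIFEST exactly.
# Missing, changed and unlisted files are each reported and fail the check.
verify_tree() {
    manifest=$1 root=$2 rc=0
    listed=$(mktemp) found=$(mktemp)
    sed 's/^[0-9a-f]*  //' "$manifest" > "$listed"
    ( cd "$root" && find . -type f ) > "$found"

    while read -r want path; do
        if [ ! -f "$root/$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$root/$path")" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"

    # Anything on disk that the manifest does not list, e.g. an added binary.
    while IFS= read -r path; do
        grep -qxF -- "$path" "$listed" || { echo "UNLISTED $path"; rc=1; }
    done < "$found"

    rm -f "$listed" "$found"
    return "$rc"
}
```

The manifest has to be generated from a known-good install and kept on the CD; a manifest stored on the hard disk could be rewritten along with the files it describes.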
Re: Booting to CD and the handing off to HD
On Tue, Oct 05, 2004 at 12:27:54PM -0400, Theodore K. Milbaugh wrote:
> On Tue, 5 Oct 2004 10:12:49 -0600, Nathan Kinkade [EMAIL PROTECTED] wrote:
> > On Mon, Oct 04, 2004 at 09:23:31PM -0700, Cristobal Miguelo wrote:
> > > > On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> > > > > Hello,
> > >
> > > I would like to have it completely automated: The machine goes down at 4am for the check and boots to cd, then the cd controls the hand-off to the hard drive. I'd like to have the BIOS set up to only boot the cd and if the HD checks out ok, boot up the HD. That way there is a slim chance that any security breach will last beyond one night on my machine. I seriously doubt a security breach will occur, but I want to close every door imaginable.
> > >
> > > Anything else that could be done?
> > >
> > > Thx
> > > -C
> >
> > What is the reason that you find it necessary to reboot the machine to a CDROM every morning? Are you sure that there isn't a way to run your checks while booted to the harddisk? I am fairly sure that you will never find a way to have the BIOS selectively boot either the CDROM or the HD based on some OS specific factor, such as a successful check of the HD. I have a feeling that there may be a better way to accomplish your goal without a reboot to CDROM every morning. Will you tell the list more about what you are trying to accomplish?
> >
> > Nathan
>
> Since the code that checks the HD is on a CD, it is unlikely to be compromised. Any check in the running OS could be compromised, which the poster wants to avoid.
>
> Also, the BIOS will not be selectively booting to CD or HD, it will only boot to the CD. The CD-based check of the HD will be booting the disk if it checks out okay.

This still doesn't fully make sense to me. It seems to me that this is looking at security from the wrong direction. It is certainly a good thing to think about how one can mitigate the actions of a cracker after they have already got into the system. However, it seems like a better initial approach to focus on keeping crackers out in the first place, thereby obviating the need to go to extreme measures to avoid alterations to a file on the disk. As was already suggested, I would focus on keeping people out, and then use tools such as securelevels, read-only mounted file systems and the like to help protect the system should someone happen to get in.

Regarding booting to the CDROM or HD, I'm not sure I understand the difference between what you are saying and what I said in my previous reply. How can the CDROM boot the machine to the HD? If the machine reboots the BIOS will take control and boot the machine according to its device priority. If there is a bootable CD in the CDROM device, and the BIOS is set to boot to the CDROM first, how can the machine be made to boot the HD prior to the CDROM? The only possible way I can think of would be to have the CDROM booted OS eject the CDROM tray before reboot, then have the HD booted OS close the CDROM tray again.

Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
Re: Booting to CD and the handing off to HD
On Tue, 5 Oct 2004 11:22:47 -0600, Nathan Kinkade [EMAIL PROTECTED] wrote:
> Regarding booting to the CDROM or HD, I'm not sure I understand the difference between what you are saying and what I said in my previous reply. How can the CDROM boot the machine to the HD? If the machine reboots the BIOS will take control and boot the machine according to its device priority. If there is a bootable CD in the CDROM device, and the BIOS is set to boot to the CDROM first, how can the machine be made to boot the HD prior to the CDROM? The only possible way I can think of would be to have the CDROM booted OS eject the CDROM tray before reboot, then have the HD booted OS close the CDROM tray again.
>
> Nathan

The code on the CD can load the bootloader code from the HD, and execute it. I know it is possible, because if you boot off of the SuSE 9.1 Installation CD, it has an option to boot to the HD, and it does work.
Re: Booting to CD and the handing off to HD
On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> Hello,
>
> I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
>
> Is that possible? What man pages and/or web pages should I read to make it happen?
>
> Thanks!
> Cristobal

Well, you could certainly mount the harddisk partitions somewhere in the filesystem while running under the CDROM booted kernel. However, I seriously doubt if you could change the running kernel to that from the harddisk. Why not just reboot to the harddisk after you have finished your diagnostics with the CDROM?

Nathan

-- 
PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49
Re: Booting to CD and the handing off to HD
Thanks for the response!

I would like to have it completely automated: The machine goes down at 4am for the check and boots to cd, then the cd controls the hand-off to the hard drive. I'd like to have the BIOS set up to only boot the cd and if the HD checks out ok, boot up the HD. That way there is a slim chance that any security breach will last beyond one night on my machine. I seriously doubt a security breach will occur, but I want to close every door imaginable.

Anything else that could be done?

Thx
-C

--- Nathan Kinkade [EMAIL PROTECTED] wrote:
> On Sun, Oct 03, 2004 at 08:58:05PM -0700, Cristobal Miguelo wrote:
> > Hello,
> >
> > I'm going to be working on a firewall box where I want to boot to CD and run an integrity check on the Hard Drive. If the Hard Drive checks out OK, I want the CD to then hand off to the hard drive and boot the hard drive.
> >
> > Is that possible? What man pages and/or web pages should I read to make it happen?
> >
> > Thanks!
> > Cristobal
>
> Well, you could certainly mount the harddisk partitions somewhere in the filesystem while running under the CDROM booted kernel. However, I seriously doubt if you could change the running kernel to that from the harddisk. Why not just reboot to the harddisk after you have finished your diagnostics with the CDROM?
>
> Nathan
>
> -- 
> PGP Public Key: pgp.mit.edu:11371/pks/lookup?op=get&search=0xD8527E49